# Chinese Cyberspies Target Telecoms with Showboat and JFMBackdoor Malware
A Chinese cyber-espionage campaign, attributed to the **Calypso** threat group (aka Red Lamassu), has been actively targeting telecommunications providers since mid-2022. The attackers are using newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively, impacting organizations across the Asia Pacific and parts of the Middle East.

Researchers at **Lumen's Black Lotus Labs** and **PwC Threat Intelligence** have uncovered a sophisticated cyber-espionage campaign targeting telecommunications providers. The operation, active since at least mid-2022, is attributed to the **Calypso** threat group, also known as Red Lamassu.
The threat actors reportedly impersonated their targets by setting up and using multiple telecom-themed domains.
### The Showboat Linux Malware
The Linux implant used in these attacks, dubbed Showboat/kworker, is a modular post-exploitation framework designed for long-term persistence after initial compromise. The initial infection vector remains unknown.
According to **Black Lotus Labs**, once Showboat is deployed, it collects host information and sends it to a command-and-control (C2) server. The malware can also upload/download files, hide its own process, and establish persistence via a new service.
"One notable feature is the 'hide' command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as **Pastebin** or online forums for use as a 'dead drop'," **Lumen's Black Lotus Labs** researchers explain.

Its most notable function is acting as a SOCKS5 proxy and port-forwarding pivot point, serving as a foothold on compromised endpoints and enabling lateral movement within the internal network.

### The JFMBackdoor Windows Malware
**PwC Threat Intelligence** analyzed Red Lamassu's infection chain on Windows, noting that it starts with the execution of a batch script that drops payloads to stage a DLL-sideloading procedure (the legitimate fltMC.exe loading a malicious FLTLIB.dll). The final payload, **JFMBackdoor**, is then loaded.
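As an added defensive illustration, not code from Lumen or PwC, the following Python check flags the fltMC.exe + FLTLIB.dll pairing described above whenever either file loads from outside the Windows system directories; the event dictionary format and the sample paths are constructed assumptions modelled on image-load telemetry such as Sysmon Event ID 7:

```python
from pathlib import PureWindowsPath

# Directories from which the legitimate Filter Manager control tool (fltMC.exe)
# and its companion FLTLIB.dll are expected to load on a stock Windows install.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _file_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_fltmc_sideload(image_load_events):
    """Return events that look like FLTLIB.dll being sideloaded by fltMC.exe.

    Each event is a dict with 'process' (full path of the loading executable)
    and 'module' (full path of the DLL it loaded). A hit is fltMC.exe loading
    FLTLIB.dll when either file sits outside System32/SysWOW64: a copied
    exe+dll pair in a user-writable folder, or a DLL picked up from elsewhere.
    """
    hits = []
    for ev in image_load_events:
        if _file_name(ev["process"]) != "fltmc.exe":
            continue
        if _file_name(ev["module"]) != "fltlib.dll":
            continue
        proc_dir = _parent_dir(ev["process"])
        mod_dir = _parent_dir(ev["module"])
        if proc_dir not in EXPECTED_DIRS or mod_dir not in EXPECTED_DIRS:
            hits.append(ev)
    return hits


# Constructed sample events; these are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\fltMC.exe",
     "module": r"C:\Windows\System32\FLTLIB.dll"},        # benign, both in place
    {"process": r"C:\Users\Public\Libraries\fltMC.exe",
     "module": r"C:\Users\Public\Libraries\FLTLIB.dll"},  # copied pair: suspicious
    {"process": r"C:\Windows\System32\fltMC.exe",
     "module": r"C:\ProgramData\FLTLIB.dll"},             # DLL from odd dir: suspicious
    {"process": r"C:\Windows\System32\notepad.exe",
     "module": r"C:\Users\Public\FLTLIB.dll"},            # different loader: ignored here
]

if __name__ == "__main__":
    for hit in flag_fltmc_sideload(SAMPLE_EVENTS):
        print("suspicious FLTLIB.dll load:", hit["process"], "->", hit["module"])
```

Path comparison is case-insensitive because NTFS paths are; extend EXPECTED_DIRS if your hosts use a non-default system drive.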

According to the researchers, **JFMBackdoor** is a full-featured Windows espionage implant with the following capabilities:
* **Reverse shell access:** Remote command execution.
* **File management:** Upload, download, modify, move, and delete files.
* **TCP proxying:** Uses the victim system as a network relay into internal systems.
* **Process/service management:** Start, stop, create, or kill processes and services.
* **Registry manipulation:** Modify Windows registry keys and values.
* **Screenshot capture:** Take screenshots of the victim's desktop and encrypt them for exfiltration.
* **Encrypted configuration management:** Store/update malware settings in encrypted configs.
* **Self-removal and anti-forensics:** Hide activity, remove persistence, and delete traces.

Infrastructure analysis suggests that the hackers follow a partially decentralized operational model, in which multiple clusters share similar certificate-generation patterns and tooling but target distinct victim sets.
**Lumen** concludes that the tooling is likely shared across multiple China-aligned threat groups, each targeting different regions and using the same malware ecosystem.